
Improved handling of short-lived secrets in remote execution

Dan Stowell
bazel

BuildBuddy has supported passing short-lived secrets to remote actions via the env-overrides platform property, which redacts values from action cache entries. The new secret-env-overrides and secret-env-overrides-base64 properties extend this protection by also redacting values from workflow logs.

Pass secrets via remote exec headers so they're injected at invocation time without affecting the action hash:

bazel build //my:target \
  --remote_exec_header=x-buildbuddy-platform.secret-env-overrides=API_KEY=sk-abc123,OTHER_KEY=val

For values containing commas or special characters, base64-encode each KEY=VALUE pair:

bazel build //my:target \
  --remote_exec_header=x-buildbuddy-platform.secret-env-overrides-base64=$(echo -n 'CREDS={"token": "abc"}' | base64)
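
An added example, not from the BuildBuddy changelog or docs: a POSIX shell helper that builds the secret-env-overrides-base64 value from variables already in the environment, so secret values are not typed as literals into the command (or shell history) and long values are not broken by base64 line wrapping. The function names are hypothetical, and joining multiple encoded pairs with commas is an assumption mirroring the secret-env-overrides syntax above.

```shell
# Encode one NAME=VALUE pair. printf avoids echo -n portability problems;
# tr removes the line wrapping GNU base64 adds to long output.
bb_encode_pair() {
  printf '%s=%s' "$1" "$2" | base64 | tr -d '\n'
}

# Usage: bb_secret_overrides NAME [NAME...]
# Prints each NAME=VALUE pair base64-encoded, joined with commas.
# (Comma-joining the encoded pairs is an assumption, see the lead-in.)
bb_secret_overrides() {
  _bb_out=''
  for _bb_name in "$@"; do
    # Only accept valid variable names, since the name is passed to eval.
    case "$_bb_name" in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "invalid variable name: $_bb_name" >&2; return 1 ;;
    esac
    # Fail closed on an unset variable instead of sending an empty secret.
    eval "_bb_set=\${$_bb_name+x}"
    if [ -z "$_bb_set" ]; then
      echo "variable not set: $_bb_name" >&2; return 1
    fi
    eval "_bb_val=\${$_bb_name}"
    _bb_out="${_bb_out:+$_bb_out,}$(bb_encode_pair "$_bb_name" "$_bb_val")"
  done
  printf '%s\n' "$_bb_out"
}

# Example call with values already in the environment (constructed names):
#   bazel build //my:target \
#     "--remote_exec_header=x-buildbuddy-platform.secret-env-overrides-base64=$(bb_secret_overrides CREDS API_KEY)"
```

The encoded value still appears in the bazel process arguments on the local machine; the helper only keeps the plaintext out of the typed command.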

See the Secrets docs and RBE platform properties reference for more details.